Exploit Title: Atlas Systems Aeon XSS Vulnerability
Vendor: Atlas Systems
Vulnerable Versions: 3.6, 3.5
Tested Version: 3.6
Advisory Publication: Nov 12, 2014
Latest Update: Nov 12, 2014
Vulnerability Type: Cross-Site Scripting [CWE-79]
CVE Reference: CVE-2014-7290
Solution Status: Fixed by Vendor
Credit: Wang Jing [Mathematics, Nanyang Technological University, Singapore] (@justqdjing)
Aeon is special collections circulation and workflow automation software for your special collections library designed by special collections librarians.
Aeon improves customer service and staff efficiency while providing unparalleled item tracking, security and statistics.
What is Aeon?
“Aeon is request and workflow management software specifically designed for special collections libraries and archives. Aeon improves patron service and maximizes staff efficiency while providing unparalleled item tracking, security and statistics. The Aeon Web Interface enables your patrons to request items directly from your online catalog and finding aids for viewing in your reading room or ordering duplication and digital imaging services, and allows them to monitor fulfillment of their requests through a personalized web account. The Aeon Staff Client permits your staff to manage every step of every transaction, from shelf to patron and back again, with full control and ease. The Aeon Web Reports and custom search features provide quick access to complete patron and item request histories and offer a wide array of usage analyses.”
“Atlas Systems, Inc. is a software development company headquartered in Virginia Beach, VA dedicated to serving libraries. Founded in July 1995 with the mission of “promoting library excellence through efficiency,” Atlas is best known for creating the ILLiad interlibrary loan management system now exclusively distributed by OCLC and used by more than 1,000 libraries worldwide. Focused on bringing the benefits of automation to library processes that have not been addressed by other software services, Atlas has introduced Ares, an electronic reserves solution, and Aeon, an online request and workflow management system specifically designed for special collections libraries and archives. Atlas takes a process-driven approach to software development. Atlas developers work closely with librarians first to understand the specific user services environment and then to design a system that improves service quality while achieving optimum efficiency and process control. Once the software has been created, Atlas provides implementation, training and ongoing product support, including continual development of new features and enhancements in response to client needs and desires. This workflow review and improvement approach to software design sets Atlas apart in the library automation market.”
(2) However, Aeon is vulnerable to XSS attacks.
(2.1) The first vulnerability occurs on the “aeon.dll?” page, in the “&Action” parameter.
(2.2) The second vulnerability occurs on the “aeon.dll?” page, in the “&Form” parameter.
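As an added illustration (not part of this advisory and not Aeon's own code), the following log-side check flags aeon.dll requests whose Action or Form value is not a plain numeric code. It assumes constructed IIS W3C-style log lines and that Aeon normally passes small integer codes in these two parameters; a non-numeric or HTML-bearing value in either is worth alerting on while the fixed version is being rolled out.

```python
import re
from urllib.parse import parse_qs, unquote_plus

# Constructed IIS W3C-style log lines (not real traffic):
# date time cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = """\
2014-11-12 10:01:02 GET /aeon/aeon.dll Action=10&Form=10 200
2014-11-12 10:01:09 GET /aeon/aeon.dll Action=10&Form=%3Cscript%3E 200
2014-11-12 10:02:15 GET /aeon/aeon.dll Action=%22%3E%3Cb%3E&Form=20 200
2014-11-12 10:03:00 GET /aeon/images/logo.png - 200
2014-11-12 10:04:44 GET /aeon/aeon.dll Action=20&Form=30 200
"""

# The two parameters the advisory names as reflected without encoding.
WATCHED_PARAMS = ("Action", "Form")
# Assumption: Aeon uses small integer codes in Action/Form, so an allow-list
# of digits is a tighter check than a deny-list of HTML metacharacters.
EXPECTED = re.compile(r"^\d{1,4}$")
HTML_META = re.compile(r'[<>"\']')

def parse_line(line):
    """Split one W3C-style line into its fields; return None if malformed."""
    parts = line.split()
    if len(parts) != 6:
        return None
    date, time, method, stem, query, status = parts
    return {"ts": f"{date} {time}", "method": method, "stem": stem,
            "query": "" if query == "-" else query, "status": status}

def suspicious_params(query):
    """Return {param: decoded_value} for watched params whose value is not a numeric code."""
    found = {}
    for name, values in parse_qs(query, keep_blank_values=True).items():
        if name not in WATCHED_PARAMS:
            continue
        for raw in values:
            value = unquote_plus(raw)  # parse_qs decoded once; a second pass catches double-encoding
            if not EXPECTED.match(value):
                found[name] = value
    return found

def scan_log(text):
    """Return (timestamp, param, value, reason) for aeon.dll requests with anomalous Action/Form values."""
    hits = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["stem"].lower().endswith("/aeon.dll"):
            continue
        for param, value in suspicious_params(rec["query"]).items():
            reason = "html-metachars" if HTML_META.search(value) else "non-numeric"
            hits.append((rec["ts"], param, value, reason))
    return hits

if __name__ == "__main__":
    for ts, param, value, reason in scan_log(SAMPLE_LOG):
        print(f"{ts} {param}={value!r} [{reason}]")
```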
2014-09-01: Reported the vulnerability to the vendor
2014-10-05: Vendor replied with thanks and stated that it would change the source code